WARNING this article is out of date - please refer to more recent documentation.
Starting from version 6.2, access to the Teiid runtime can be secured with a user ID and password, and unauthorized access prohibited, by enabling identity management. Given that a user belongs to a set of working "groups" that define his or her allowed permissions in a company, different "roles" can be assigned in the Teiid system based on these groups to grant privileges to access various parts of the system.
Teiid's membership framework allows users to plug in their own identity management systems, such that Teiid serves as a pass-through system for such a management system. Teiid works with the configured membership domain to perform per-user identity assertion to grant access, and group resolution to determine each user's privileges. Teiid provides membership domain plug-ins for:
1. LDAP
2. File based management
File based authentication is easy to set up but is only recommended for development purposes. For production use, LDAP is recommended. Users can write their own membership domains based on the Membership API defined by Teiid. See the "Server Extensions" guide for more information. Please note that identity management can also be turned off altogether, which may be appropriate in embedded scenarios where identity management is handled by a higher layer of the application.
By default, user identity checking is turned on in the Teiid system, with a default super user named "admin" whose password is "teiid". Using the following properties in the <teiid-install>/deploy.properties file, you control whether membership is enabled, the super user credentials, and which membership domains are used to manage user accounts.
#
# Membership Service Settings (handles the authentication of the user)
#
membership.enabled=true
membership.superUser=admin
membership.superUserPassword=teiid
membership.DomainOrder=file,ldap
membership.allowedHosts=
membership.enabled = true|false - Turns identity checking ON or OFF. Note that if identity checking is turned OFF, there will not be any authorization checks, so the system will be wide open for anybody to connect and issue query commands.
membership.superUser - The name of the super user or root user of the system, who has rights to perform any and all operations in the system.
membership.superUserPassword - The password for the super user. Make sure "deploy.properties" is secured so that no unauthorized person can access it. If you do not want to show the password in clear text, you can encrypt it using the technique defined here.
membership.DomainOrder - This property has two distinct responsibilities.
- It defines the membership domains to use. For example, by defining "file", the Teiid runtime will search for a property file called "membership-file.properties" in the "<teiid-install>/deploy" directory. This property file defines all the configuration properties required to initialize and plug a "file" membership domain into the Teiid runtime. If your membership domain name is "foo", then Teiid will search for a "membership-foo.properties" file. The contents of the property file are specific to the membership domain it initializes, and the developer of the membership domain can define them as needed. However, every property file must provide the following two properties, which enable Teiid to integrate the membership domain into the system:
  - activate = true | false - flag to enable or disable the membership domain
  - AuthDomainClass = class name - Java class name that implements the membership domain
- Users can define more than one membership domain. Multiple domain names can be specified, delimited by commas. This property also defines the order in which the Teiid system tries the membership domains when authenticating a user. Teiid will cycle through all the defined domains until one grants access or all have been tried unsuccessfully. If none of the membership domains grants access, the user is denied access to the Teiid system.
membership.allowedHosts - Optionally, Teiid can be configured to accept "superUser" connections only from trusted hosts. This property defines the host address pattern that determines which client connections are accepted (ex: 192\.168\.32\.100 or 192\.168\.32\.*). If this property is left commented out or blank, then superUser connections from any host are allowed.
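A configuration check for the settings described above, added here as an example and not part of the Teiid distribution: it reads deploy.properties and the membership-<name>.properties files and reports the risky states this article names. The function names, the sample input, and treating a missing membership.enabled as true (the stated default) are assumptions of the example.

```python
DEFAULT_PASSWORD = "teiid"  # default superUser password named in this article

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(deploy_text, domain_files):
    """Return findings; domain_files maps file name -> file contents."""
    findings = []
    deploy = parse_properties(deploy_text)
    # Assumption: a missing membership.enabled means the default (on).
    if deploy.get("membership.enabled", "true").lower() != "true":
        findings.append("membership.enabled is off: no identity or authorization checks")
    if deploy.get("membership.superUserPassword") == DEFAULT_PASSWORD:
        findings.append("superUser still has the default password")
    if not deploy.get("membership.allowedHosts"):
        findings.append("membership.allowedHosts is blank: superUser accepted from any host")
    order = [d.strip() for d in deploy.get("membership.DomainOrder", "").split(",")]
    for name in filter(None, order):
        fname = f"membership-{name}.properties"
        if fname not in domain_files:
            findings.append(f"{fname} not found for domain '{name}'")
            continue
        domain = parse_properties(domain_files[fname])
        active = domain.get("activate", "").lower() == "true"
        if not active:
            findings.append(f"domain '{name}' is in DomainOrder but activate is not true")
        if not domain.get("AuthDomainClass"):
            findings.append(f"{fname} does not set AuthDomainClass")
        if name == "file" and active:
            findings.append("file membership domain is active: development use only")
    return findings

# Constructed sample input mirroring the default settings shown in this article.
SAMPLE_DEPLOY = ("membership.enabled=true\nmembership.superUser=admin\n"
                 "membership.superUserPassword=teiid\n"
                 "membership.DomainOrder=file,ldap\nmembership.allowedHosts=\n")
SAMPLE_DOMAINS = {"membership-file.properties": "activate=true\nAuthDomainClass="
                  "com.metamatrix.platform.security.membership.spi.file.FileMembershipDomain\n"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOY, SAMPLE_DOMAINS):
        print("-", finding)
```

On the constructed sample this reports four findings: the default password, the blank allowedHosts, the active file domain, and the missing membership-ldap.properties file.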
Configuring the Membership Domains
File Membership Domain
To use file based membership, make sure the property "membership.DomainOrder" has the value "file" and that there is a "membership-file.properties" file in the "<teiid-install>/deploy" directory (the default install already has this defined). The section below shows the "membership-file.properties" file.
#File based membership domain configuration properties
# File Membership Domain Settings (activate, Membership Domain Class Name, Property file for configuration)
activate=true
# The class that implements the File membership
AuthDomainClass=com.metamatrix.platform.security.membership.spi.file.FileMembershipDomain
#Location of the properties file containing user name and password entries.
usersFile=users.properties
#Location of the properties file containing group assignments
groupsFile=groups.properties
#Check passwords against the users file.
checkPassword=true
In addition to the above property file, the user needs to provide two other files: "users.properties", which specifies the allowed users, and "groups.properties", which specifies the groups for those users.
A sample "users.properties" file looks like this (sample file attached):
john=mm
paul=mm
where each user is specified on one line, with the user name to the left of the '=' sign and the password to the right.
A sample "groups.properties" file looks like this:
group1=john,paul
group2=paul
where each line defines a group, with the group name to the left of the '=' sign and a list of the users in that group to the right.
Once you provide all three property files and make sure the "activate" flag is "true", you can start using file based identity assertion. Please note that this membership domain is only recommended for development purposes.
LDAP Membership Domain
If your company uses LDAP based authentication, or Active Directory, then use the LDAP membership domain for authentication. Make sure the "membership-ldap.properties" file is in the "<teiid-install>/deploy" directory and is in the following format.
# Configuration file for LDAP membership domain
activate=true
# The class that implements the LDAP membership
AuthDomainClass=com.metamatrix.platform.security.membership.spi.ldap.LDAPMembershipDomain
#Full LDAP URL (mandatory)
ldapURL=
#Bind account password for group lookup.
ldapAdmin.password=
#The attribute(s) that uniquely identifies a user.
users.displayName.attribute = uid
#The search filter(s) to apply to each users root context.
users.searchFilter=(objectclass=*)
#Specifies the context(s) to use when searching for users.(mandatory)
users.rootContext=
#Bind account DN for group lookup.
ldapAdmin.dn=
#Attribute(s) that appears on each user that identifies group membership.
users.memberOf.attribute=
#The attribute(s) that uniquely identifies a group.
groups.displayName.attribute=
#How far down the directory tree to search each users root context.
users.searchScope=SUBTREE_SCOPE
#Specifies the context(s) to use when searching for groups.(mandatory)
groups.rootContext=
#The search filter(s) to apply to each groups root context
groups.searchFilter=(objectclass=*)
#How far down the directory tree to search each groups root context.
groups.searchScope=SUBTREE_SCOPE
#Time to wait for LDAP operations to complete.
txnTimeoutInMillis=
#The attribute(s) that contains the members of the group.
groups.groupMember.attribute=
A sample file is attached at the end.